Amazon AWS VPC VPN With BGP and PFsense
Setting up a VPC with a VPN and routes propagated over BGP was something i had recently tasked myself in work. These is how i made it work.
Firstly, i’m not going to go over setting up the VPC or even the VPN on AWS. If you are looking at building solutions like this you should already be well versed in how to do that. On that note, im also not going to go through building the firewall rules on the pfSense side either, for the exact same reason. I should also mention, this was done on the latest version of pfSense (2.2.6) Which is running on my [insert link to firewall post]
Getting the details we need
As pfSense isnt “supported” by the AWS config generator, i used the Vyatta config download as i found that easily showed me what i needed to know. Here are the main details i had to dig out from that config
- Local and remote 169.x.x.x addresses (these are used on either side of a tunnel which will be used to exchange routes. This will be in a /30 range. There are 2 IP’s the higher is usually your local IP)
- AWS Public IP Endpoint
- Pre-Shared Key
- Amazon ASN
- Know the VPC range you want to push the routes for.
Create the Virtual IP
We need to add the local 169.x.x.x address as a virtual IP to our pfSense machine. Then we need to tell pfSense to route that over the WAN interface. Here is a screenshot of my configuration:
Create the static route
Next we need to create a static route to route that ip over the WAN interface:
That is the all that needs to be done in this part of the configuration. Now its on to building the tunnels.
IPSEC Phase 1
Now we are onto creating the IPSEC Phase1. Id suggest ticking the “Disable this phase 1 entry” until we are finished all the configuration. I will split this up into 4 images as its easier to explain whats going on it each part then.
General Information: The main thing we are setting here is the Remote Gateway. This is the public IP endpoint taken from the AWS config we downloaded.
Next is the Phase 1 proposal (Authentication). This is where we will set the pre-shared key. Again, this is taken from the config we downloaded.
Next is the Phase 1 proposal (Algorithms). These details are again taken form the downloaded config.
You can leave the Advanced Options as-is. Then all thats left for us to do is to save.
Setting up the Phase 2 for the BGP exchange
Now we are getting into the proper configuration. We now have to setup the Phase 2 with the 169.x.x.x addresses from earlier. As i mentioned, this is used to exchange routes. Ill split this into 2 images, the first being the network configuration, the second being the key exchange details. For this first image, all you need to change are the 169.x.x.x addresses to match what is the config you downloaded, so just set the local and remote ip’s /30.
Oh and set a description as well.
In the second image, its just key exchange details that i used. Again, this can all be taken from the config you downloaded.
Once that is set, then save it.
Creating our second Phase 2
Now we need to create a Phase 2 for the actual networks we are using. Ill only post the network section of the config as the key exchange is exactly the same as the one above.
So this is pretty self explanatory, Set the local network in the local network section and IP range of your VPC in the remote network section.
The BGP Bit
Now is the exciting parts.
First we need to install OpenBGPD on our router. This is easily done through the packages menu in pfSense. Once this is installed, it will appear in the “Services” Menu.
There are several sections we need to setup, though each only take a couple of options, and its pretty simple.
Here we set:
- The ASN we gave when initially setting up the VPN on AWS
- Hold time – 30s as suggested inthe VPN config we downloaded
- fib-update – Yes As we want to update the kernel routing table
- Listen on IP – This the local 169.x.x.x address
- Networks – Which networks are we announcing over BGP
This is my configuration
Next in Neighbours we set the remote 169.x.x.x address
Next we add a new group, this is where we put the Amazon ASN
That should be all the configuration done. If you now go back to your IPSEC Phase 1 you created previously and untick the disable box. After about 30 seconds, you should see both tunnels come up (the 169.x.x.x and the one passing your proper networks)
Once you have seen them come up, you can check if your routes are being propagated. OpenBGPD does give you a lot of info. I wont go through it all, just show you what would suggest its working.
We can also see the number of route updates etc that have been sent. This is the bottom box.
So provided you have configured your security groups correctly and also the pfSense firewall, you should now be able to access you remote VPC over your VPN, as well as update the routes automagically.